Given the point-of-sale (PoS) attacks in the news lately, I'm sure many of you are thinking about, or acting on, architecting better defenses. I recently worked with a team at Cisco to analyze how to properly defend point-of-sale networks from attack. The attack scenarios we used were modeled after the recent breaches, BlackPOS and other PoS malware attacks. In a nutshell, we analyzed the threats within the point-of-sale environment and architected a Cisco security solution that would provide the biggest impact with the lowest disruption to the PoS environment. We put a few tenets in place to ensure we ended up with the best solution:

Ensure coverage for the complete attack lifecycle: the Before, During and After phases of an attack

These design goals led us to three Cisco security solutions that can be used stand-alone or together as a system, depending on your environment, budget and risk profile. The three security solutions that best meet the above design goals are:

Cisco Cyber Threat Defense (CTD)

Cisco Advanced Malware Protection (AMP) for networks and endpoints

Cisco Next Generation FW (ASA with Firepower Services)

These three solutions cover the full attack continuum: before, during and after a security event (such as an intrusion). Here is a description of each phase:

BEFORE: What we do to prepare ourselves. This is typically about discovering the nodes on our network, enforcing our written policy using technology, and finally hardening our network against attack as best we can.

DURING: What we do while we are actually being attacked. Attack detection, and potentially blocking and defending, also happen here.

AFTER: What we do if we are NOT successful in stopping an intrusion. Think zero-day, APT and targeted attacks. This critical phase is usually based on a strategy of recognition (that we have been compromised), scoping (identifying what was affected), containment (of the intruder) and remediation (removal of the attacker, removal of their compromises and improvement of our defenses).

What links these three phases is context and visibility.

Before Phase

This phase is about hardening and enforcing written policy using technology. The most impactful technology you can deploy in this phase to protect PoS is, of course, network segmentation, and the primary tool we use for it is a next generation firewall such as the ASA with Firepower Services platform. This product does many things other than segmentation, but for segmentation the primary features are stateful firewalling, security group firewalling, and site-to-site and client VPN. The least well known of these is security group firewalling, a part of TrustSec. TrustSec is effectively software-defined segmentation: it lets you define a segmentation policy in meaningful business terms, dare I say in "English". It uses contextual data to assign a tag to the traffic a network device or host sends into the network, with context such as user group, device type, device security posture, location, certificates, etc. Because the tag follows the endpoint rather than its IP address, the policy does not have to be rewritten when addressing changes. The policy is derived from a tag-based matrix like the one shown in the graphic below. For example, an Exec BYOD tag cannot talk to a Prod HRMS tag, but an Exec PC tag can. This context-based dynamic segmentation provides a way to truly use technology to enforce a written business policy.
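To make the tag-based matrix concrete, here is an added example (not code from the original post, and not a TrustSec or ISE API): an endpoint is classified into a security group tag from its context, and a flow is then allowed or denied purely by the (source tag, destination tag) cell of the matrix, with anything unlisted denied. The Endpoint fields, the "Quarantine", "Store PoS" and "Payment Gateway" tags, and the IP addresses are assumptions for illustration; the page itself only names the Exec BYOD, Exec PC and Prod HRMS tags.

```python
"""Tag-based segmentation policy, modelled on the TrustSec matrix described above."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Context an identity service learns about an endpoint (constructed example fields)."""
    user_group: str      # e.g. "Exec", "Store"
    device_type: str     # e.g. "PC", "BYOD", "PoS"
    posture_ok: bool     # result of the device security posture check
    ip: str              # present only to show the policy never looks at it


# Hypothetical tag for endpoints that fail posture; not a name from the page.
QUARANTINE = "Quarantine"


def assign_tag(ep: Endpoint) -> str:
    """Map endpoint context to a security group tag.

    The tag travels with the endpoint's traffic, so the same device gets the
    same tag whether it sits on a store VLAN or a VPN address range.
    """
    if not ep.posture_ok:
        return QUARANTINE
    return f"{ep.user_group} {ep.device_type}"


# The matrix: (source tag, destination tag) -> permitted?  Anything not listed
# is denied, which is the safe default for a PoS network.
Matrix = Dict[Tuple[str, str], bool]

POLICY: Matrix = {
    ("Exec PC",   "Prod HRMS"):       True,   # the two cells the page describes
    ("Exec BYOD", "Prod HRMS"):       False,
    ("Store PoS", "Payment Gateway"): True,   # hypothetical PoS tag pair
    ("Store PoS", "Store PoS"):       False,  # PoS terminals never talk to each other
}


def permitted(matrix: Matrix, src_tag: str, dst_tag: str) -> bool:
    """Matrix lookup with an implicit deny for unlisted tag pairs."""
    return matrix.get((src_tag, dst_tag), False)


def check_flow(matrix: Matrix, src: Endpoint, dst_tag: str) -> Tuple[str, bool]:
    """Tag the source endpoint and evaluate the matrix; returns (tag, allowed)."""
    tag = assign_tag(src)
    return tag, permitted(matrix, tag, dst_tag)


def explain(matrix: Matrix) -> List[str]:
    """Render the matrix in the plain-English terms the policy was written in."""
    return [f"{s} {'may' if ok else 'may not'} talk to {d}" for (s, d), ok in matrix.items()]


if __name__ == "__main__":
    exec_pc = Endpoint("Exec", "PC", True, "10.1.1.5")
    exec_byod = Endpoint("Exec", "BYOD", True, "10.1.2.7")
    print(check_flow(POLICY, exec_pc, "Prod HRMS"))    # ('Exec PC', True)
    print(check_flow(POLICY, exec_byod, "Prod HRMS"))  # ('Exec BYOD', False)
    print("\n".join(explain(POLICY)))
```

Note that a non-compliant Exec PC is denied the same HRMS access a compliant one gets, and that moving the Exec PC to a different address changes nothing: that is the property that makes the matrix an enforcement of the written policy rather than of an address plan.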

During Phase

The During phase utilizes all three solutions: CTD, AMP and NGIPS. Again, these solutions can work together or separately. In this phase CTD provides a powerful out-of-the-box feature called 'suspect data loss'. This feature uses zones to determine whether an abnormal amount or type of data is leaving your organization in an anomalous way. So when malware goes to exfiltrate stolen data, CTD sees the upload via NetFlow and alerts. Keep in mind that NetFlow is not inline, so this is detection rather than prevention: the alert lets you cut the transfer short and scope it, but whatever was exported before the alert is already gone, which is why it pairs with the segmentation from the Before phase. AMP is able to detect malware in the During phase. AMP looks at the reputation and behavior of files as they traverse the network or drop onto a client running the AMP connector. If a file has not been seen before, it is uploaded automatically to the AMP cloud for analysis and sandboxing, and a verdict is passed back. Malicious files can be dropped at the network appliance or at the AMP client. AMP currently runs on any NGIPS or NGFW appliance. The final solution for During is NGIPS, which applies Snort rules to traffic to find malware or malware-like activity. All of the known variants of PoS malware already have Snort signatures; by definition, that coverage stops at the known variants. NGIPS also includes Layer 7 application visibility and control for hundreds of apps, which lets it detect many of the data exfiltration and command-and-control methods that even zero-day malware will use, such as an FTP upload leaving a PoS segment that should only ever speak to the payment servers. All of these solutions incorporate multiple types of context into their alarms and data: username, device type, location, traffic types, apps used, and much more. For CTD, Cisco ISE can feed context data over, such as username and security group tag.

Here is a screenshot of CTD suspect data loss and alarm trends. You can clearly see the FTP upload in the graph:

Here is a screenshot of the Cisco FireSight dashboard. FireSight manages both NGIPS and AMP, as well as ASA with Firepower Services. You can quickly see the threats and risky applications on your PoS network.

AFTER Phase

AMP

Cisco Advanced Malware Protection (AMP) technology uses retrospective analysis to look back in time to find patient zero, the scope of the malware file's distribution and execution, and exactly how it was propagated host to host.

AMP runs on almost all of Cisco's security platforms as an add-on license. It runs on email and web security, ASA with Firepower Services, Windows, Mac and Android endpoints, and Firepower appliances. In short, AMP does two things. First, it looks at every file passed through the network and performs a hash-based file reputation lookup against the Cisco AMP cloud. Second, if the file comes back as unknown, you can dynamically send it to the cloud sandbox for detailed analysis and a verdict.

By deploying AMP ubiquitously at the major chokepoints in your network and on your hosts, you get a full picture of all files traversing the network, their malware disposition, and a history of how those files have moved around your network.

In the image below you can see the AMP network file trajectory view. This shows a retrospective (back-in-time) view of this piece of malware. It tells you exactly where it came from, how it was propagated and where it was propagated to.
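The two AMP behaviours described above, a hash-based reputation lookup at the time a file is seen and a retrospective trajectory once the verdict later turns malicious, are shown in this added example. It is not AMP's code or API; the sighting log, host names, the "net:"/"host:" source convention and the hash values are all constructed placeholders (the hashes are not real malware hashes). It shows what a file-sighting record has to capture for patient zero and the host-to-host propagation path to be recoverable after the fact.

```python
"""Retrospective file trajectory, in the style of the AMP analysis described above."""
from collections import namedtuple
from typing import Dict, List, Optional

# One record per file observed landing on a host.  'source' is where it came
# from: a network origin ("net:<ip>") or another host ("host:<name>").
Sighting = namedtuple("Sighting", "minute host sha256 source")

# Constructed sighting log (example data, not from the page).  Hash values are
# placeholders; 'minute' is time since an arbitrary t0.
SIGHTINGS: List[Sighting] = [
    Sighting(0,  "pos-01",      "sha256:aaaa", "net:203.0.113.10"),
    Sighting(3,  "back-office", "sha256:bbbb", "net:198.51.100.7"),
    Sighting(5,  "pos-02",      "sha256:aaaa", "host:pos-01"),
    Sighting(6,  "pos-03",      "sha256:aaaa", "host:pos-01"),
    Sighting(12, "pos-07",      "sha256:aaaa", "host:pos-03"),
]


def lookup(cloud: Dict[str, str], sha256: str) -> str:
    """Hash-based reputation lookup: 'clean', 'malicious' or 'unknown'."""
    return cloud.get(sha256, "unknown")


def trajectory(sightings: List[Sighting], sha256: str) -> Optional[dict]:
    """Reconstruct where a file entered and how it spread, from the sighting log."""
    hits = sorted((s for s in sightings if s.sha256 == sha256),
                  key=lambda s: (s.minute, s.host))
    if not hits:
        return None
    # (from, to, minute): each hop the file took, in time order
    edges = [(s.source.split(":", 1)[1], s.host, s.minute) for s in hits]
    return {
        "patient_zero": hits[0].host,
        "entry_point": hits[0].source,
        "hosts": [s.host for s in hits],
        "edges": edges,
    }


def retrospective_alerts(sightings: List[Sighting],
                         cloud_before: Dict[str, str],
                         cloud_after: Dict[str, str]) -> Dict[str, dict]:
    """Files that were let through earlier but whose verdict has since turned malicious.

    This is the retrospective step: nothing was blocked at the time because the
    hash was unknown, so the value is in the scope and path the log now yields.
    """
    seen = {s.sha256 for s in sightings}
    flipped = [h for h in seen
               if lookup(cloud_before, h) != "malicious"
               and lookup(cloud_after, h) == "malicious"]
    return {h: trajectory(sightings, h) for h in flipped}


if __name__ == "__main__":
    verdicts_then = {}                                          # everything unknown at t0
    verdicts_now = {"sha256:aaaa": "malicious", "sha256:bbbb": "clean"}
    for h, t in retrospective_alerts(SIGHTINGS, verdicts_then, verdicts_now).items():
        print(h, "patient zero:", t["patient_zero"], "via", t["entry_point"])
        for src, dst, minute in t["edges"]:
            print(f"  t+{minute:>2}m  {src} -> {dst}")
```

The sandbox verdict in the text is what flips an entry in the verdict map; the log itself never changes, which is why it must be kept for every file, including the ones that looked clean when they arrived.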

CTD

Another great feature of Cisco Cyber Threat Defense lets you create security zone rules that alert you if a traffic flow crosses a zone boundary (a zone is typically an IP subnet range). This allows you to set up a PCI zone with rules that prohibit, for example, the transfer of data from the PCI zone to any other zone. CTD uses the network as a sensor, specifically NetFlow, to obtain an untainted view of real-time traffic flow. This solution meets all three of our tenets. It is non-intrusive and not inline, since it uses NetFlow data that is already available in your Cisco network. It can be installed very easily and zones created quickly. And finally, it is excellent at finding targeted or zero-day attacks, given that they will break from the normal PoS traffic flow and so be easy for a tool like CTD to detect. In a nutshell, CTD will show you when traffic starts to do non-normal or "weird" things. In this feature, it tells you that the communication flows you set up for host lock (i.e. PoS device A only ever talks to servers C, D and E) have been broken. The practical prerequisite is that the switches and routers serving the PoS segment actually export NetFlow for that traffic; a zone rule can only judge flows that are reported to it.
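The three CTD checks discussed on this page, the zone boundary rule and host lock just described and the suspect data loss feature from the During phase, are shown together in this added example run over constructed NetFlow-style records. It is not CTD's code; the zone names, subnets, server addresses, flow records and the per-host baseline are all assumptions for illustration. It shows why the three checks are complementary: the same FTP upload trips all three, while the SMB connection into the corporate zone trips only the zone rule.

```python
"""NetFlow-style zone, host-lock and suspect-data-loss checks, modelled on the CTD features above."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, the shape of what NetFlow exports."""
    minute: int
    src: str
    dst: str
    dport: int
    proto: str
    bytes_sent: int   # bytes from src to dst


# Zones as subnet lists, most specific first; "Internet" is the catch-all.
# Addressing is constructed for the example.
ZONES: List[Tuple[str, str]] = [
    ("PCI",      "10.10.0.0/24"),   # PoS terminals
    ("Payment",  "10.20.0.0/24"),   # payment servers C, D, E
    ("Corp",     "10.0.0.0/8"),
    ("Internet", "0.0.0.0/0"),
]


def zone_of(ip: str) -> str:
    """First matching zone wins, so order ZONES from most to least specific."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in ipaddress.ip_network(net):
            return name
    return "Internet"


# Zone rules: the only zone pairs traffic from PCI may cross.  Anything else is a violation.
ALLOWED_ZONE_PAIRS: Set[Tuple[str, str]] = {("PCI", "Payment"), ("PCI", "PCI")}

# Host lock: PoS device A (10.10.0.21) only ever talks to servers C, D and E.
HOST_LOCK: Dict[str, Set[str]] = {
    "10.10.0.21": {"10.20.0.3", "10.20.0.4", "10.20.0.5"},
}

# Constructed flow records: normal card authorizations, one FTP upload to the
# Internet, and one SMB connection into the corporate zone.
FLOWS: List[Flow] = [
    Flow(1, "10.10.0.21", "10.20.0.3",    443, "tcp", 2_000),
    Flow(2, "10.10.0.22", "10.20.0.3",    443, "tcp", 2_100),
    Flow(3, "10.10.0.21", "10.20.0.4",    443, "tcp", 1_900),
    Flow(4, "10.10.0.21", "203.0.113.50",  21, "tcp", 52_000_000),
    Flow(5, "10.10.0.22", "10.0.5.9",     445, "tcp", 4_000),
]

# Learned "normal" bytes leaving PCI per host for the window (constructed values).
BASELINE: Dict[str, int] = {"10.10.0.21": 10_000, "10.10.0.22": 10_000}


def zone_violations(flows: List[Flow]) -> List[Flow]:
    """Flows from the PCI zone that cross into a zone the rules do not permit."""
    return [f for f in flows
            if zone_of(f.src) == "PCI"
            and (zone_of(f.src), zone_of(f.dst)) not in ALLOWED_ZONE_PAIRS]


def host_lock_violations(flows: List[Flow]) -> List[Flow]:
    """Flows from a locked host to a peer outside its allowed set."""
    return [f for f in flows if f.src in HOST_LOCK and f.dst not in HOST_LOCK[f.src]]


def suspect_data_loss(flows: List[Flow], baseline: Dict[str, int],
                      factor: int = 3) -> Dict[str, int]:
    """Bytes each PCI host sent out of the zone; alert where that exceeds factor x baseline."""
    out: Dict[str, int] = defaultdict(int)
    for f in flows:
        if zone_of(f.src) == "PCI" and zone_of(f.dst) != "PCI":
            out[f.src] += f.bytes_sent
    return {h: b for h, b in out.items() if b > factor * baseline.get(h, 0)}


if __name__ == "__main__":
    for f in zone_violations(FLOWS):
        print(f"zone rule:  {f.src} ({zone_of(f.src)}) -> {f.dst} ({zone_of(f.dst)}) port {f.dport}")
    for f in host_lock_violations(FLOWS):
        print(f"host lock:  {f.src} -> {f.dst} is not an allowed peer")
    for host, total in suspect_data_loss(FLOWS, BASELINE).items():
        print(f"data loss:  {host} sent {total:,} bytes out of PCI this window")
```

A host with no baseline entry alerts on any outbound byte, which is the right default for a newly provisioned PoS terminal; the factor and window are tuning knobs, and the baseline should be learned from traffic you have already confirmed is legitimate.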

Here is a screenshot of CTD with some zones setup in the easy to use relationship map:

Taking a before, during and after design approach to security in your point-of-sale network will greatly enhance your protection against compromise. Further, focusing on deployment of the three solutions we covered here will ensure you are targeting the biggest gaps in security first.